Password aging requires rootdn write access to all passwords?
Hello,
While trying to set up an LDAP server for user authentication on Linux
desktop client PCs with pam_ldap, I stumbled upon the following issue:
Password aging only seems to work when a "rootdn" is configured and has
write access to the userPassword attribute of all users. If the "rootdn"
doesn't have write access and I try to log in using an account with an
expired password, I do get the warning and the opportunity to change the
password. But when submitting the new password I get: "LDAP password
information update failed: insufficient access".
We are planning to distribute the pam_ldap configuration (including
/etc/ldap.secret) to at least a few hundred desktop client PCs. I
know that /etc/ldap.secret is read-only for non-root users, but it
seems quite a big security issue to have a plain-text password in a file
that will enable anybody with a live CD to read the rootdn password.
That means hacker skills are hardly required to wipe or change the
passwords of all our accounts in LDAP in just a few minutes.
While the file "LDAP-Permissions.txt" that ships with pam_ldap does
mention this, I'm a bit puzzled why it needs to be like that: when for
example "gdm" or the "login" program lets me change my aged password, it
has already asked for my current password. So it seems to me pam_ldap should
be able to re-bind as the user itself in order to change his/her
password. That way only the user account itself needs write access to its
own userPassword attribute.
Am I mistaken, did I miss something, or is there a workaround?
Could someone please show me wrong?
Regards, Heiko Noordhof
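The access control the post is asking for, written out as an added example (not part of the original message, and not pam_ldap's own documentation): an OpenLDAP slapd.conf ACL that lets each user write only their own userPassword, lets anonymous clients use the attribute solely to bind (which pam_ldap needs for the initial authentication), and hides it from everyone else, next to a client-side pam_ldap ldap.conf that leaves out rootbinddn so no /etc/ldap.secret has to be shipped to the desktops. The hostname and suffix are assumed; the shadowLastChange rule rests on the assumption that the accounts carry the shadowAccount object class and that the client updates that attribute after a password change, so it should be checked against the pam_ldap version in use.

```conf
# /etc/openldap/slapd.conf  (added example, not from the original post)
# Order matters: the first "access to" clause whose target matches wins.

# Password: the owner may change it, anonymous clients may only use it
# to bind (simple authentication), nobody else can read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Assumption: entries are shadowAccount objects and the client writes
# shadowLastChange when the password is changed, so the owner needs write
# access here too; nss_ldap/pam_ldap read it to evaluate password aging.
access to attrs=shadowLastChange
        by self write
        by * read

# Everything else (uid, uidNumber, homeDirectory, ...) is read-only for all.
access to *
        by * read

# /etc/ldap.conf for pam_ldap on the client PCs  (added example)
# No rootbinddn line, so no /etc/ldap.secret is needed on the desktops.
host ldap.example.com          # assumed hostname
base dc=example,dc=com         # assumed suffix
ssl start_tls                  # assumption: protect the user's bind credentials
pam_password exop              # change via the LDAP Password Modify extended op
```

To check the server side independently of pam_ldap, change a password while bound as the user with `ldappasswd -x -D 'uid=alice,ou=people,dc=example,dc=com' -W -S` (assumed DN). If that succeeds but the pam_ldap change still fails with "insufficient access", the ACL is fine and the module is not re-binding as the user, which is exactly the behaviour the post questions; if ldappasswd fails as well, look at which attribute the server refuses, since a password-only ACL will reject the shadowLastChange update.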